State Utilities Girding Their Cyber Defenses

ARTHUR HOUSE | OP-ED | The Hartford Courant

Although the world enjoys unimagined accomplishments from digital communication, the dark side also compels our attention.

Cyber offense and defense are rapidly evolving forms of warfare. Our public utilities are among the targets foreign powers have penetrated. Our vital public services are vulnerable. U.S. national security leadership has seen the exercise of cyber probes and weaponry, some in overt military action and others, including foreign actions in the United States, more exploratory — "battlefield preparation," in military terms.

For public utilities and the states that regulate them, cyber threats risk denial of electricity, water, natural gas and telecommunications. Our state emergency managers include cyber threats in their portfolio of hurricanes, ice storms, other natural disasters and physical sabotage. Cyber threats present a new dimension to emergency management with potentially devastating consequences and without the certainty of adequate defenses.

The threats are serious and obviously unwelcome to utilities and their consumers, who have three basic interests at stake: assurance of high-quality service, resilient systems to deliver those services and reasonable cost. State regulators have enough work paying attention to all three, especially given aging infrastructure and the changes posed by cheap natural gas and the advent of renewable energy options. Hurricanes and the like already provide enough resiliency difficulties.

What should state regulators do in light of this major challenge, which is a modern weapon, and therefore — like other national security matters — appropriately in the hands of the intelligence community and military? Most utilities, and certainly Connecticut's larger utilities, take the threat seriously and manage protective systems, while intelligence officials are concerned by foreign penetration and the adequacy of our nation's utility security systems.

What should utilities spend to upgrade their defenses? To what extent should they engage one of our nation's greatest cyber assets — private sector firms — to assess and remedy security gaps?

The costs of defense are financial and social. Today, the cost of physical security — both systems and armed forces — at some nuclear generation facilities equals the cost of operations. Storm-related outages provoke public outrage over service interruption. How much more should the ratepayer contribute to cyber security, and how should the money be spent? How can state regulators determine where adequacy ends and unnecessary costs begin?

As for social costs, the tension between individual liberties and security is clearly at play. Stringent controls to thwart cyber disruption might significantly diminish civil liberties. The obviously unacceptable alternative of a police state would make us safer from cyber attacks. But how much risk can and should we accept to protect those freedoms that define who we are?

Firearms and automobiles have brought security and mobility, but the costs of death and suffering have compelled reckoning and regulation. Similarly, cyber threats are a dark side of the revolutionary life changes enabled by the computer, Internet and digital revolution. The possibility of a hacker or nation-state disabling a water system, gas pipeline or electric grid, or leaving us unable to communicate or access financial or health data, is real. The public deserves to know what the threats are, and how their government is responding.

We have work to do at all levels of government. At the federal level, we count on intelligence and defense officials to protect us — but also to communicate with us. Trust depends upon credibility and requires active, skilled management. Inadequate information and weak congressional oversight and partnership do not build public confidence.

State regulators cannot become national security officers to combat what is basically a national security challenge. But they can set standards, collaborate with public utilities and accept reasonable, well-designed expenses to enhance safety. Connecticut is intensifying its work with its public utilities, which long ago started their cyber defense programs and initiated planning for dealing with disruption. Several strengthening steps are possible, such as requiring that utilities annually publish a statement from a reputable security company affirming (or not) that the company takes reasonable steps to ensure cyber security.

The most difficult adjustment lies with all of us — understanding and accepting the reality of cyber vulnerability and its unpredictable consequences. In the past, Americans have been able to take action, find reasonable solutions and do what makes sense without giving up the essential. We can do it with cyber, but it's time to kick into gear. The threat is real, and the work will be demanding.

Arthur House is chairman of the Connecticut Public Utilities Regulatory Authority. He was previously director of communications for the Director of National Intelligence.